• Earlier this year, the U.S. Supreme Court issued a major decision that set a new standard. People impacted by data errors cannot file a data breach lawsuit for damages unless there is actual, probable harm.
  • This week the Sixth Circuit Court of Appeals based in Ohio ruled that a person lacked standing to sue, even though their credit score dropped because their mortgage lender reported, by mistake, that they had failed to make a payment.
  • A data breach lawsuit is subject to the same rules for filing a claim. They are all but guaranteed to be tossed out of court unless there is actual harm from the breach at issue.
  • What can be done to address this? Congress can make it clear that organizations that fail to protect data can be sued based on the risk of future harm. Or states can pass their own laws allowing data breach lawsuits based on potential damages.
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC’s) data breach tracking tool, notified.
  • If you believe you are the victim of identity theft, contact the ITRC. Call toll-free at 888.400.5530 or live-chat on the company website www.idtheftcenter.org.   

Measure for Measure

Welcome to the Identity Theft Resource Center’s (ITRC)Weekly Breach Breakdown for August 27, 2021. Our podcast is possible thanks to support from Abine and Experian. Each week we look at the most recent events and trends related to data security and privacy. Today we dive into a subject we haven’t explored before, and for good reason – filing a data breach lawsuit. It’s a bit complex and a little dry. However, it is very important when it comes to the concept of justice for victims of data breaches. So, bear with us as we talk about the legal idea of standing and what recent court rulings mean when it comes to the ability for data breach victims to sue for damages in federal courts.

Shakespeare mentioned the legal profession more than any other, outside of royalty, devoting several of his plays to various concepts of justice. One of his dark comedies – Measure for Measure – is even named for the very concept of justice: punishment should fit the crime.

That’s a concept that cuts both ways – for and against defendants in criminal courts, and the same is true of plaintiffs in civil trials where money damages are the punishment.

“Standing” Needed to File a Civil Data Breach Lawsuit

To file a civil lawsuit in federal court, you must have what is called “standing.” You must have a valid reason to stand at the bar of justice. For years, U.S. courts have been split over what is a good reason when it comes to the standing of a person whose personal information has been exposed in a data breach. Some courts said the mere threat of harm was enough to justify a data breach lawsuit. Others ruled that no, proof of actual harm was required before a data breach lawsuit could be filed. After a data breach, your ability to sue for damages had more to do with where you lived than what happened to your data.

U.S. Supreme Court Sets A New Standard for Data Breach Lawsuits

Earlier this year, though, the U.S. Supreme Court issued a major decision that set a new standard: People impacted by data errors cannot file a data breach lawsuit for damages unless there is actual, probable harm. Inconvenience, threat or harm no longer counts as an acceptable reason in some federal courts. Now, plaintiffs filing lawsuits based on those kinds of claims lack standing. No standing = no lawsuit.

Now, you may have noticed the subtle distinction that the Supreme Court decision was based on data errors, not data breaches. How very observant of you, and you are correct. However, it’s called the Supreme Court for a reason. Lower federal courts are bound to follow the decision of the Supremes and are now applying the new standard to similar but not identical cases.

Ohio Sixth Circuit Court of Appeals Ruling

This week the Sixth Circuit Court of Appeals based in Ohio ruled that a person lacked standing to sue, even though their credit score dropped because their mortgage lender reported, by mistake, that they had failed to make a payment. The lower credit score was inconvenient but not harmful, according to the Court.

What It Means for Data Breach Lawsuits

What does this have to do with data breaches? A data breach lawsuit is subject to the same rules for filing a claim. That means data breach lawsuits are all but guaranteed to be tossed out of court unless there is actual harm from the breach at issue. That’s very difficult to prove in the best of times. When there have already been more than 1,100 data breaches reported this year, how do you prove which data breach caused the harm?

That doesn’t even begin to address the bigger issue of identity criminals don’t always use the data right away, or only once. The risk of harm down the road is high, and the ITRC’s 2021 Consumer Aftermath Report shows nearly three in ten identity crime victims are hit a second or third time, sometimes before the original impacts are resolved.

What Can Be Done?

Congress can make it clear that organizations that fail to protect data can be sued based on the risk of future harm. Or states can pass their own laws allowing data breach lawsuits based on potential damages.

However, the reality is that this is the exact situation that Shakespeare wrote about in Measure for Measure: “O just, but severe law.”

Contact the ITRC

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours. Just visit www.idtheftcenter.org to get started.

Thanks again to Experian and Abine for supporting the ITRC and this podcast. We’ll be back next week with another episode of the Weekly Breach Breakdown.

  • The one-year anniversary of the California Consumer Privacy Act (CCPA) and CCPA enforcement has come. According to the California Attorney General (AG), 75 percent of complaints were resolved within 30 days. The other 25 percent are still within the 30-day grace period or are still under investigation.
  • The California AG’s report also includes 27 examples of complaints and what companies did to fix the potential violations.
  • California also released a tool that will make it easier for consumers to file complaints about businesses that do not have a clear and easy-to-find “Do Not Sell My Personal Information” link on their website’s homepage.
  • To learn about recent data breaches consumers and businesses should visit the ITRC’s data breach tracking tool, notified.
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

The Right Tool

Welcome to the Identity Theft Resource Center’s Weekly Breach Breakdown for July 23, 2021. Our podcast is possible thanks to support from Experian and Sentilink. Each week we look at the most recent events and trends related to data security and privacy. This week we look at the California Consumer Privacy Act (CCPA), the state law that gives consumers a way to push back against data breaches, and the one-year anniversary of CCPA enforcement.

I’m sure most of us have heard a parent or mentor say at one time or another, “You need the right tool for the right job.” When it comes to protecting privacy and personal information, the Mac-Daddy of protection tools is the CCPA.

News Statistics Released About CCPA Enforcement

California Attorney General (AG) Rob Bonta recently published statistics about the number of complaints his office has received alleging CCPA violations, including some examples. Seventy-five (75) percent of the complaints were resolved within the 30 days the law gives a business to comply once they are notified of a potential violation. The other 25 percent are still within the 30-day grace period or are still under investigation.

The most interesting part of the AG’s report is the 27 examples of complaints and what companies did to fix the potential violations. Notices to cure have been issued to data brokers, marketing companies, businesses handling children’s information, media outlets and online retailers. Some businesses prompted hundreds of CCPA enforcement complaints, while others generated millions.

Potential violations that have been cured include:

  • A business that manufactures and sells cars failed to notify consumers of how personal information was used as part of a vehicle test drive in addition to other omissions in its privacy policy. 
  • A grocery chain required consumers to provide personal information in exchange for participation in its company loyalty programs. The company did not provide a Notice of Financial Incentive to participating consumers.
  • A social media app was not timely responding to CCPA requests, and users publicly complained that they were not receiving notice that their CCPA requests had been received or acted on. 
  • An online dating platform that collected and sold personal information did not have a “Do Not Sell My Personal Information” link on its homepage or adequately explained its data-sharing practices.

Tool Released to Make It Easier for California Residents to File Complaints

AG Bonta also released a tool that makes it easy for California residents to directly complain to a business that does not have a clear and easy-to-find “Do Not Sell My Personal Information” link on their website’s homepage. That’s required by the CCPA, and the direct consumer complaints can trigger the process that can lead to CCPA enforcement action by the state AG.

More tools that allow consumers to help police the CCPA’s provisions, including damages paid directly to consumers for certain data breaches, may be offered in the future.

Contact the ITRC

If you have questions about CCPA enforcement, or how to keep your personal information private and secure, visit www.idtheftcenter.org, where you will find helpful tips.

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during normal business hours (6 a.m.-5 p.m. PST).

Thanks again to Sentilink and Experian for supporting the ITRC and this podcast. Be sure to check out our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.

  • The Virginia Consumer Data Protection Act (VCDPA) will be the second strongest privacy law in the U.S., modeled after California privacy laws. It is scheduled to take effect on January 1, 2023. 
  • The VCDPA is not limited to people who live in Virginia. It applies to any businesses that collect the data of at least 100,000 Virginia residents during a calendar year, or at least 25,000 Virginia residents, and derives more than 50 percent of its gross revenue from the sale of personal information. 
  • Under the VCDPA, consumers will have the right to access personal data that businesses collect about them, correct inaccuracies in the data, request personal data be deleted in certain exceptions, and opt-in to the use of personal data and opt-out of the sale of personal data in certain circumstances. 
  • For information about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notified.   
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.  

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for February 26, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. Last week we talked about significant privacy changes being driven by a private company – specifically, Apple through an update in the operating system for iPhones. This week we focus on state laws that are fundamentally changing the legal and regulatory landscape across the country.

Some people of a certain age probably remember the School House Rock cartoons that, among other things, taught us about the functions of conjunctions. However, more memorably, about how laws are made. The short cartoon from 1975 gives us the title of today’s episode – “I’m just a bill…sitting here on Capitol Hill.”

New Virginia Privacy Law: “Virginia Consumer Data Protection Act (VCDPA)”

By the time people listen to the podcast or read the transcript, Governor Ralph Northam of Virginia is likely to have already signed the second strongest privacy law in the country, the Virginia Consumer Data Protection Act or VCDPA. Modeled after groundbreaking California privacy laws, the Virginia Consumer Data Protection Act adds new rights for Virginia residents and obligations for businesses that collect information about people who live in the Old Dominion.

However, VCDPA is not limited to businesses based in Virginia. Like the California Consumer Privacy Act (CCPA) and the European Union’s privacy law (GDPR) before that, the VCDPA applies to any business anywhere in the world if it:

  1. Collects the personal data of at least 100,000 Virginia residents during a calendar year; or
  2. Collects the personal data of at least 25,000 Virginia residents and derives more than 50 percent of its gross revenue from the sale of personal information.

Non-profits, government agencies, and colleges and universities are exempt, along with a few institutions regulated by certain federal privacy laws.

Under the Virginia Consumer Data Protection Act, consumers will have the right to:

  • Access personal data that a business collects and uses about them;
  • Correct inaccuracies in that data;
  • Request that personal data be deleted subject to certain exceptions;
  • Opt-in to the use of sensitive data in certain circumstances, with sensitive information being personal attributes like race or sexual orientation, biometric information, children’s information, and location data.
  • Opt-out of the sale of personal information and certain automated processes based on personal data. The VCDPA also requires businesses to let individuals opt-out of the sale of personal data to third parties as well as “targeted advertising.”

When the Virginia Consumer Data Protection Act Will Take Effect

Businesses will have until January 1, 2023 – when the VCDPA goes into effect – to get ready to comply with the law, the same day California’s updated privacy law, the California Privacy Rights Act (CPRA), becomes effective. Unlike the California law, the enforcement of the Virginia law will be the exclusive jurisdiction of the state attorney general – no individual consumer lawsuits are allowed for now.

Other Privacy Laws in the Works

The January 1, 2023 date could be crowded with new state privacy laws. There are currently ten other states considering similar privacy and cybersecurity laws and two that have established study commissions that will be required to report back to their state lawmakers by 2022.

The Possibility of a Federal Privacy Law

What about a federal privacy law passed by Congress that applies uniformly across the country? Even with a new Congress, many of the same roadblocks remain from past Congresses. One side wants state laws to be overruled, and the other side wants a federal law to be a floor, not a ceiling for the states. There is also the unanswered question about the ability of individuals to file lawsuits over violations of privacy.

Contact the ITRC

If anyone has questions about how to keep their personal information private and how to protect it, they can visit www.idtheftcenter.org, where they will find helpful tips on these and many other topics.

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. People can speak with an expert advisor on the phone, chat live on the web, or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Visit www.idtheftcenter.org to get started.

Be sure to check out the most recent episode of our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.

*Updated as of 3/10/2021

  • The third round of stimulus payments is on the way. Scammers are aware, too, which means another round of scams as well.
  • Remember, the Internal Revenue Service (IRS) will not text, email or call anyone about a stimulus payment. If someone receives an unsolicited message from someone claiming to be with the IRS, it is probably a scam. Consumers should contact the IRS directly to verify before they respond. 
  • Offers that require people to pay to receive a stimulus benefit or to use a service to get a payment faster are also signs of a stimulus payment scam. 
  • Consumers can track their new stimulus checks once they are sent. Then can visit the IRS “Get My Payment” page to follow their payments.  
  •  To learn more about stimulus payment scams, the new stimulus payment or if someone suspects they are the victim of a stimulus scam, they can contact the Identity Theft Resource Center toll-free at 888.400.5530 or by live-chat on the company website.  

New Stimulus Payments Approved by Lawmakers 

Lawmakers voted to approve the third stimulus package since the coronavirus pandemic. The package includes a $1,400 stimulus payment for anyone who earns $75,000 or less (the payments start to phase out at $75,000), extends jobless aid supplement and programs making more people eligible for unemployment insurance, and much more.

Late in 2020, lawmakers agreed on a new stimulus package, which included a $600 stimulus payment for anyone who earned $75,000 or less. There was also a reduced payment for anyone who made $75,000-$99,000.

In the spring of 2020, the first batch of stimulus payments assisted Americans in need of financial relief due to the economic impacts of COVID-19. Criminals took advantage of the situation by offering to help benefit recipients speed access to their stimulus funds. Criminals stole checks from nursing home residents, out of people’s mailboxes, and even from postal trucks. The Identity Theft Resource Center (ITRC) saw some of those methods used to steal identity information and stimulus payments the second time around, and expect to see it again. The ITRC has also had a sharp rise in reported stolen stimulus payments and stimulus payment scams cases.

As of March 10, 2021, the Federal Trade Commission (FTC) had logged more than 382,000 consumer complaints related to COVID-19 and stimulus payments totaling more than $366 million in losses. Two-thirds of the complaints involved fraud or identity theft. The median fraud loss per person is $325.

New stimulus checks mean more scams are on the way. With more stimulus payment fraud expected, consumers should know how to spot a scam and what to do if an identity criminal contacts them.

Possible Stimulus Payment Scams 

According to the Washington Post, researchers recently discovered a campaign of thousands of emails that sought to trick Americans into filling out a phony form to “apply” for American Rescue Plan checks from the IRS before the third stimulus package was even passed by congress. The emails encouraged recipients to download an Excel sheet that launched malicious software that steals personal banking information and other login credentials once downloaded.

Criminals use different schemes to trick people, and they can be expected to do the same this time, as seen above. Here are a few things for people to watch for that indicate that someone might be the target of a stimulus payment scam:

  • Text messages and emails about stimulus payments – Criminals use text messages and emails to send malicious links in hopes that people will click on them to divulge personal information or insert malware onto someone’s device. If anyone receives a text message or email about a stimulus check or direct deposit with a link to click or a file to open, they should ignore it. It’s a scam because the IRS will not contact anyone unsolicited by text, email or phone to discuss a stimulus payment. 
  • Asked to verify financial information – The IRS will not call, text or email anyone to verify their information. If information needs to be confirmed, people will be directed to an IRS web page. This includes retirees who might not typically file a tax return.  
  • A fake check in the mail – Anyone who earns $75,000 or less will get $1,400. People who make between $75,000-$80,000 will receive a reduced amount. Anyone who gets a check and has questions about the amount, or thinks the check seems suspicious, should contact the IRS.
  • Offers for faster payments – Any claim offering payment faster through a third-party is a scam. All new stimulus checks will come from the IRS, and the IRS says there is no way to expedite a payment.  
  • Pay to get a check – No one has to pay to receive a stimulus check. New stimulus checks will be deposited directly into the same banking account used for previous stimulus payments or the most recent tax refund. If the IRS does not have someone’s direct deposit information, a check or prepaid card will be mailed to the last known address on file at the IRS.
  • Stolen checks – The ITRC has received numerous complaints from consumers about their stimulus checks being stolen. If anyone believes their payment is stolen, they should visit IDTheft.gov, where they can report, “Someone filed a Federal tax return – or claimed an economic stimulus payment – using my information.”

What to Do If You’re a Victim of Stimulus Payment Scams 

 If anyone believes their information may have been compromised or their stimulus payment was stolen, the IRS suggests people report it to the IRS and FTC simultaneously through IdentityTheft.gov. If anyone wants to learn more about stimulus payment scams or if someone believes they are the victim of a stimulus payment scam, they may also contact the Identity Theft Resource Center toll-free. Consumers can call (888.400.5530) or live-chat on the website. People can go to www.idtheftcenter.org to get started.

  • Approximately 56 percent of California voters passed The California Privacy Rights Act (CPRA). The law will be the toughest privacy law in the U.S. once it goes into effect in 2023.
  • California residents will have more control over what happens to their personal information when businesses collect it. Consumers from the state can also have information corrected they think is inaccurate.
  • California businesses will be required to update agreements with contractors and sub-contractors that binds them to meet the provisions of the CPRA.
  • For more information on the privacy law, contact the ITRC at no-cost by calling 888.400.5530 or by live-chat on the company website.

California voters went to the polls to decide the fate of the strongest privacy law in the United States. After counting the ballots, Proposition 24 – The California Privacy Rights Act (CPRA) – passed and will go into effect in 2023.

Subscribe to the Weekly Breach Breakdown Podcast

Every week the Identity Theft Resource Center (ITRC) looks at some of the top data compromises from the previous week and other relevant privacy and cybersecurity news in our Weekly Breach Breakdown Podcast. This week, we look at CPRA and what it means for businesses and consumers.

How The California Privacy Rights Act Passed

Approximately 56 percent of California voters approved the privacy law. However, Big Tech and Big Privacy joined forces to oppose the proposal. The initiative was proposed to strengthen the existing state privacy law, The California Consumer Privacy Act (CCPA), in many different ways.

What Consumers Need to Know About The California Privacy Rights Act

There are a few different things for California residents to know about the CPRA:

  1. Since voters approved the CPRA and not the state legislature, it will be more difficult to amend the law in the future. The legislature must submit any proposed changes to the popularly approved law to the voters in a future election. That makes it very difficult to weaken the privacy provisions in the CPRA.
  2. The CPRA gives California residents even more control over what happens to their personal information when a business collects it. The CCPA gives residents the right to access the information companies collect about them and request it be deleted in certain circumstances. It also prohibits the sale of their information for marketing purposes. The CPRA will give consumers rights linked to sharing information – not just selling data to third parties – clarifying one of the most confusing parts of the current privacy law, the CCPA.
  3. The CPRA adds a right to correct any information that a consumer thinks is inaccurate. Californians will now have the right to opt-out of automated decision processes that use their personal information. Also, they will have the right to see how automated decision processes work.
  4. The CPRA creates a new category of personal information that California residents can access and control in certain circumstances, like sharing information with third parties. The new category is known as “sensitive personal information” and includes precise geolocation data, race, religion, sexual orientation, Social Security numbers and certain health information.
  5. Finally, the new privacy law gives consumers the right of data portability, which means someone can tell a company to share their information with another company. It is like when someone changes their mobile phone or insurance companies.

What Businesses Need to Know About The California Privacy Rights Act

Businesses will also have a host of new duties that apply to them:

  1. Companies will have to create data silos, meaning they will have to keep personal information used in marketing separate from other consumer information. Companies, especially smaller ones, are already struggling to meet the existing consumer rights of access, review, deletion and opt-out. The new provision could compound the compliance issues.
  2. The most significant change for businesses will be the requirement that companies update agreements with contractors and sub-contractors that bind them to meet the provisions of the CPRA. In past podcast episodes, the ITRC has talked about data breaches resulting from “supply chain attacks.” That is where a company has good cybersecurity. Still, a third-party vendor ends up breached, and the company’s customer data is exposed. The requirement to update agreements with contractors and sub-contractors is designed to address supply chain attacks and clarify that everyone in the supply chain is responsible for protecting consumer information.
  3. Businesses do get some benefits in the CPRA. Employee and B2B data are exempt from the law until at least 2023, and businesses may be charged fees if consumers opt-out of data collection and sharing. That provision is the reason privacy advocates joined Big Tech companies to oppose the CPRA.

Toughest Privacy Law in the United States

The CPRA will be the toughest privacy law in the U.S. when it goes into full effect in 2023. In the meantime, state officials will propose the regulations needed to implement the new law. In the case of the CPRA, there will also be a new state agency created to enforce the new privacy law. For now, the California Attorney General will continue to enforce the existing law, CCPA.

Privacy Law Passed in Massachusetts

There was another state privacy law recently approved by a vote in Massachusetts. Car owners now have the right to see the information their car is wirelessly sharing with automakers. Approximately 75 percent of voters approved the proposal; carmakers have until 2022 to comply.

notifiedTM 

For information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notifiedTM. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.  

Contact the ITRC

If you have a question about The California Privacy Rights Act, data privacy, or if you receive a breach notice and you’d like to know how to protect yourself, contact the ITRC. You can speak with an expert advisor toll-free at 888.400.5530 or by live-chat on the company website. Also, download the free ID Theft Help App to access resources, a case log and much more. 

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.  

This post will be updated as more information becomes available

UPDATE: 6/15/2020- According to the Wall Street Journal, Treasury Secretary Steven Mnuchin said the administration is “very seriously considering” a second round of stimulus checks. The proposed $3 trillion Health and Economic Recovery Omnibus Emergency Solutions, or HEROES Act, was passed by the U.S. Senate but has not been passed by the U.S. House of Representatives. It would authorize another round of stimulus payments for most U.S. households. For more information on what the HEROES Act would provide, click here.

UPDATE: 4/29/2020- Anyone who did not file a tax return for 2018 or 2019 and have dependent children must register with the IRS by Tuesday, May 5, at noon EST to get an additional $500 economic impact payment for their dependents. If anyone misses the deadline, they will have to wait until they file their 2020 tax return to get the money. For more information on how to fill out a non-filer form, and how to avoid a non-filer scam, click here.

UPDATE: 4/15/2020 – Stimulus check have begun being distributed and people are already seeing them show up in their bank accounts. The IRS has created a portal where people can check the status of their economic impact payment. It could take a few minutes to load the website due to overload. However, people will be able to see what day they are expected to receive their payment, as well as the payment method.

Non-filers can now also file through the IRS to get their payment sooner. To learn how to file, and how to avoid a non-filer scam click here.

UPDATE 4/13/2020 – The Treasury Department and the IRS have announced that the distribution of stimulus checks will begin this week and that most of them will be deposited directly, requiring no action. Anyone who does not typically file a tax return will need to file a simple tax return to receive their stimulus check.

If there is anyone who has not filed their 2019 tax return but did file a 2018 return, the IRS will use the information provided in the 2018 return. The Treasury also plans on creating a web-based portal where people can enter their direct-deposit information online. The stimulus checks will be available to consumers through the end of 2020. For more information, consumers can visit IRS.gov/coronavirus. To learn more about the stimulus checks, click here. For tax rules to help you fill out your 2019 taxes, click here.

ORIGINAL 3/27/2020- With the COVID-19 pandemic impacting everyone across the United States, the U.S. federal government passed the largest stimulus package ever to help minimize the financial impacts for businesses and consumers. Coronavirus stimulus checks are being mentioned in the news daily, which is leading fraudsters to come up with stimulus check scams.

While there are a lot of questions about the $2 trillion stimulus package and stimulus check payments, most consumers should not have to take any action to receive their stimulus check because the payment will be directly deposited by the IRS into their bank account from the information provided on their 2018 or 2019 tax return. Payments will begin arriving in mid-April.

If anyone receives any messages or letters regarding a government check, it is very likely a coronavirus stimulus check scam. The government will not ask anyone for their Social Security number, bank account number or credit card number; the government will also not ask anyone to pay a fee upfront to get their government check; there will not be a way to “expedite payment” through a service provider either.

If anyone did not provide their bank account information on their last tax return, the IRS will mail people their stimulus checks. There have also been discussions about the possibility of sending some payments to consumers on prepaid debit cards to speed up the process. While that is a possibility, if someone reaches out saying that they can get the stimulus payment to you on a debit/credit card, please report it to local authorities or the Internet Crime Complaint Center (IC3) to verify whether it is real or fake.

With the stimulus package passing, people can expect to see a rise in stimulus check scams. When the government ends up mailing checks and/or prepaid debit cards, people can also expect to see a rise in prepaid card scams and physical mail theft.

To avoid any of these scams, consumers should make sure they have filed their taxes and have provided their direct deposit information to the IRS in their latest tax return. Consumers should also check to see if they are qualified to receive a coronavirus stimulus check, and for how much.

Finally, if consumers receive anything that does not seem correct or something they are not expecting, they should ignore it and go directly to the source to verify its legitimacy. There is a possibility it could be a stimulus check scam.

If people have questions regarding stimulus check scams, they are encouraged to contact the Identity Theft Resource Center through the website to live chat with an expert advisor. For those that cannot access the website, they can call the toll-free hotline (888.400.5530) and leave a message for an advisor. While the advisors are working remotely, there may be a delay in responding but someone will assist you as quickly as possible.


You might also like…

Unbeknownst to many consumers, the country’s most advanced consumer privacy act just went into effect on January 1, 2020. The California Consumer Privacy Act (CCPA) outlines some of the strongest protections for individual consumers and the companies they choose to do business with. However, some early reporting shows that a lot of people are still not aware of the new legislation.

DOWNLOAD OUR NEW CCPA INFOGRAPHIC HERE

CCPA provides new protections in the event of a data breach, new tools for consumers to find out exactly what information a company has collected and sold or shared and more. Under the CCPA, consumers also have the right to delete some personal information and opt-in for children. In the CCPA personal information is defined as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information under the CCPA does not include publicly available information.

 Companies doing business in California — whether they are located there or not, or simply have customers or users who reside in the state — must provide more than just the proof of information they have collected. If an individual consumer does not want their information sold to third parties, the CCPA states they have the right to opt-out and the companies must comply. Failure to comply could result in significant fines, penalties and damage awards of up to $7,500 per consumer.

Image of business with notice of CCPA

That has been a sticking point for a number of businesses, though.

There are questions about how businesses will comply with the do not sell requirements. Some companies are claiming that if they “share” their users’ data with an outside company, they are in compliance. The supporters of the CCPA have said selling or sharing is the same thing, though companies like Facebook, CVS, Indeed and others argue their methods of providing users’ information to outsiders does not violate the CCPA.

Image of Conde Nast disclosure of CCPA

Some of the other responsibilities of businesses include a child opt-in requirement, a website notice requirement, a duty to educate, vendor agreements, third-party transfers and cybersecurity protections to prevent a data breach. In the event of a data breach, consumers can now sue to recover up to $750 in costs per data breach. For more information about consumer rights in the event of a data breach or other CCPA rights, click here.

Image of business disclosure of CCPA

Though the California Consumer Privacy Act went into effect on January 1, businesses have until July 1 to comply before enforcement—and presumably, punitive action—begins. It will be interesting to see both how this plays out for businesses that make a lot of money by selling their customers’ information, and how many other states follow suit with legislation of their own.

Sign Up For Identity Theft and Data Breach News

Sign up for the TMI Weekly to stay in the know about potential threats to your identity/privacy and tips to keep you safe. Our monthly breach alert keeps you posted on the latest trends and activity in the world of breaches.

Free Identity Theft Assistance

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

This news is currently evolving and we will update as announcements are made available.  

You might also like…

As this year winds down, it is important to spend a little time reflecting on the 2019 identity crimes, some of the things that went right in 2019 and the things that did not go as well. This is true for so many subjects, especially identity crime – which includes scams, fraud, data breaches, cybercrime and all of the other types of crimes that go with it.

Fallout from 2018

As in previous years, this past year has been a big one for these kinds of crimes. Tech users are still feeling the aftermath of things like the Facebook/Cambridge Analytica privacy debacle that was uncovered last year; Congress is still at work on what to do about consumer privacy in the social media age. Also, the news that phishing attacks more than doubled last year over the year before had researchers, businesses, lawmakers and consumers alike paying closer attention to the messages they receive.

What Went Right in 2019

Fortunately, new legislation has come along to make our privacy lives a little safer. The General Data Protection Regulation (GDPR) regulations went into effect in Europe last year, for example, and they inflict strict penalties on businesses that gather and store data but let it fall into the wrong hands. New laws in California and Colorado will be taking effect soon, intent on strengthening privacy and consumer choice. Best of all, the awareness of what constitutes these kinds of crimes and how to recognize them is increasing.

Top Security Incidents of 2019

However, this welcome news does not mean that consumers are safe or that hackers are finally giving up. With every new platform, tool or technology, there is even greater potential for new avenues of attack. Healthcare providers and insurance companies continued to be one of the hardest-hit targets this year, thanks to the overwhelming amount of personally identifiable information (PII) they gather. “Accidental exposure” breaches were a common 2019 identity crime for major-name companies, which happens when businesses store huge databases of private information – in an online server then fail to password protect it as an example. Even our entertainment was not safe, as many apps and online gaming portals suffered data breaches that were traced back to reusing passwords on multiple sites.

2019 did not just see a lot of large data breaches, but settlements as well.

Equifax Settlement

In July, Equifax reached a $700 million settlement for harms caused by their data breach. Equifax agreed to spend $425 million to help victims of the breach, leading to lots of discussion on how to file a claim.

Facebook Settlement

While the Equifax settlement was the largest in data breach history to date, Facebook blew it out of the water just two days later, as they were ordered to pay $5 billion. After the settlement, Facebook said it required a “fundamental shift” in Facebook’s approach at every level of the company in terms of their privacy.

Yahoo Settlement

A month and a half later a Yahoo data breach settlement was proposed for $117.5 million after over three billion Yahoo accounts were exposed. Identity Theft Resource Center CEO, Eva Velasquez, stated in a media alert that the settlement trend is moving the needle in the right direction for both consumers and victims. However, that was not without its challenges, including putting the onus on the consumer to tell the settlement administrators how they were harmed and provide proof of it.

10,000 Breaches Reported

This past year the Identity Theft Resouce Center also recorded 10,000 publicly-notified data breaches since 2005. As part of the milestone, the ITRC took a look back at some of the top breaches the last 15 years as part of our 10,000 Breaches Later blog series.

Minimizing Future Risks

While data breach fatigue is a recognized phenomenon, one that can occur when consumers are bombarded with constant news about their data being compromised, the flip side is the kind of paranoia that makes you want to unplug and go live off the grid. However, neither of those is the solution. What does work is an awareness of the threat and some good privacy habits to prevent crimes like the 2019 identity crimes:

We’re Here to Help

Remember, you are not responsible for the criminal behaviors of a hacker. However, you can take steps that reduce your risk of becoming a victim and help minimize the damage if the worst does occur. The Identity Theft Resource Center is always here to help. Call us toll-free at 888.400.5530 or live-chat with one of our advisors.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

You might also like…

Exercise Car Safety to Avoid Leaving Your Identity Behind

Holiday Phishing Scams Target Small Business

Social Security Phone Scam



A privacy law in California is changing and addresses biometric protection. As criminals find new and different ways to inflict harm, various laws have evolved over the years to address such needs. Driving laws, for example, have had to adapt to faster speeds, stronger engines, self-driving technology and cellular phones. Schools and medical offices have had to revisit their student or patient protections with the advent of computerized record keeping. Even sports organizations and their governing bodies have had to reevaluate their regulations in light of newer technologies and the studies behind sports-related injuries.

Update to the Information Practices Act of 1977

Now, a new privacy law signed by California’s Governor Gavin Newsom recently highlights the way that change can make a huge impact on a lot of people, especially where their privacy is concerned.

In California, a privacy law, the Information Practices Act of 1977, was still the deciding factor in prosecuting or filing civil suits in privacy cases. What lawmakers knew about personally identifiable information (PII) back then, as well as what criminals could do with it, was outdated, and it was time for a fresh look.

Now, thanks to the newly signed bill, biometric data is included in the kinds of information that companies must keep secured if they are going to gather it. As more and more companies use things like fingerprints or facial recognition software for a wide variety of purposes, the burden of protecting that information falls on them.

Change Needed Due to Increase in Data Breach Incidents Exposing PII

According to the Identity Theft Resource Center, the volume of PII exposed in data breaches increased by 126% between 2017 and 2018 to more than 446 million records exposed. The bill also re-examines how people must be notified in the event of a data breach. One of the positive trends in identity theft and fraud over the past few years has been the increasingly rapid response to breach events, especially in terms of notifying consumers quickly if they were victimized.

Perhaps the most important thing for lawmakers to recognize is the fluid nature of creating laws that protect the public. There have been cases historically in which a perpetrator of a heinous act was let go simply due to the fact there was no clear law in place to punish the offender. With updates to identity theft and privacy laws, the public will now be even more secure.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

New Texas Law Protects Victims of Coerced Debt

Popular VPN Provider, NordVPN, Breached by Hackers

Instagram Creates New Feature That Fights Phishing Attacks